ID:               33752
 User updated by:  mordae at mordae dot net
 Reported By:      mordae at mordae dot net
-Status:           Feedback
+Status:           Open
 Bug Type:         Feature/Change Request
 Operating System: all POSIX
 PHP Version:      4.3.11
 New Comment:

For the first, we all know what PHP does in so-called safe_mode.
When using PHP as a web server module and creating a directory or file, it is
owned by the user running the web server, so we have to keep an eye on its mode.
Usually 0757 (0646) is needed. If we use safe_mode, we end up with
inaccessible files, because the UIDs don't match.
There has to be some solution to this problem in PHP. I have seen many
others, but none seems to be used.
What about this one:

Add a php.ini directive that will make PHP check the UID of all parent
directories of the accessed file and, if any parent
directory is owned by the script's owner, allow access.
To improve security, you could also check if all sub-directories are
owned by the user who runs PHP (server) or - again - the script owner.

See Titov's patch at http://titov.net/safemodepatch/
He probably did it. The problem is that it's not official and no
web hosting is using it.

Thank you
Mordae

And I do apologize.


Previous Comments:
------------------------------------------------------------------------

[2005-07-18 19:36:15] [EMAIL PROTECTED]

>For the first, we all know what PHP does in (un)safe_mode.
So tell us, if you know.

>There has to be some solution of this problem.
What problem?

>You have disagreed with all previous
What are you talking about?

------------------------------------------------------------------------

[2005-07-18 17:44:19] mordae at mordae dot net

Description:
------------
For the first, we all know what PHP does in (un)safe_mode. There has to
be some solution of this problem. You have disagreed with all previous,
so what about this one:

Add a php.ini directive that will make PHP check the UID of all parent
directories of the accessed file in addition to the file's and, if any of the parent
directories is owned by the correct user, allow access.
To improve security, you could also check if all directories "above"
are owned by the user who runs PHP.

See Titov's patch at http://titov.net/safemodepatch/

Thank you
Mordae



------------------------------------------------------------------------
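
The parent-directory UID check proposed in both comments above, sketched as an added example in C; it is not PHP's own code and not Titov's patch. The names `owner_in_ancestry` and `demo`, the `/tmp/smdemo...` path, and the `stop` boundary that keeps the walk from climbing past a chosen directory are assumptions of this example and are not part of the proposal.

```c
#define _XOPEN_SOURCE 700   /* realpath, lstat, mkdtemp */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not PHP's own code): 1 if `path` or any directory
 * above it, up to and including `stop`, is owned by `owner`; 0 if none is;
 * -1 on error or when `path` does not lie inside `stop`. */
int owner_in_ancestry(const char *path, uid_t owner, const char *stop)
{
    char cur[PATH_MAX], root[PATH_MAX];
    struct stat st;
    /* Canonicalise first so ".." and symlinks cannot move the walk. */
    if (!realpath(path, cur) || !realpath(stop, root)) return -1;
    size_t n = strlen(root);
    if (strncmp(cur, root, n) != 0 || (n > 1 && cur[n] != '/' && cur[n] != '\0'))
        return -1;                                /* outside the boundary */
    for (;;) {
        if (lstat(cur, &st) != 0) return -1;
        if (st.st_uid == owner) return 1;         /* proposed rule: one match is enough */
        if (strcmp(cur, root) == 0) return 0;     /* boundary reached, no match */
        char *slash = strrchr(cur, '/');          /* step up one directory */
        if (slash == cur) cur[1] = '\0'; else *slash = '\0';
    }
}

/* Constructed demo: a file in a fresh temp directory, both created by the
 * calling user, checked against `owner` with the temp directory as `stop`. */
int demo(uid_t owner)
{
    char dir[] = "/tmp/smdemoXXXXXX", file[PATH_MAX];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/upload.txt", dir);
    FILE *f = fopen(file, "w");
    if (f) fclose(f);
    int r = f ? owner_in_ancestry(file, owner, dir) : -1;
    unlink(file);
    rmdir(dir);
    return r;
}

int main(void)
{
    printf("own uid: %d, other uid: %d\n", demo(geteuid()), demo(geteuid() + 1));
    return 0;
}
```

The check is stat-based, so its answer can go stale between the check and the later open of the file; a directory swapped in that window is not seen by this walk.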


-- 
Edit this bug report at http://bugs.php.net/?id=33752&edit=1
